Experimenting with a new practice for pre-announcing vulnerability disclosures

Michael McNally mcnally at isc.org
Thu May 14 08:35:43 UTC 2020

Hey BIND-users,

I hope that most of you are already subscribed to the bind-announce list.
But for those who are not, bind-announce is another public list operated
by Internet Systems Consortium.  It is a low-traffic list which ISC staff
use to make announcements concerning the BIND project -- most frequently
about the release of new versions of BIND or occasionally when we disclose a
serious security vulnerability.  You can subscribe by going to: https://lists.isc.org

The reason I bring it up is that ISC is experimenting with a new practice
to extend our Security Vulnerability Disclosure Process.  After observing
this practice being used successfully by other open-source projects, we
have modified our disclosure policy to allow us to (optionally) make a
limited pre-announcement giving a "heads up" a few days before a public
disclosure occurs.

Such pre-announcements, should they occur, will be posted to the bind-announce
list and you can see the first example of one in the list archives even if
you are not a subscriber:


Michael McNally
ISC Support

More information about the bind-users mailing list